From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.9 42/44] ALSA: info: Fix racy addition/deletion of nodes
Date: Wed, 24 Apr 2019 19:10:20 +0200
Message-Id: <20190424170901.662158897@linuxfoundation.org>
In-Reply-To: <20190424170839.924291114@linuxfoundation.org>
References: <20190424170839.924291114@linuxfoundation.org>

From: Takashi Iwai

commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.

The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently. Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller.

This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/info.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/sound/core/info.c +++ b/sound/core/info.c @@ -724,8 +724,11 @@ snd_info_create_entry(const char *name, INIT_LIST_HEAD(&entry->children); INIT_LIST_HEAD(&entry->list); entry->parent = parent; - if (parent) + if (parent) { + mutex_lock(&parent->access); list_add_tail(&entry->list, &parent->children); + mutex_unlock(&parent->access); + } return entry; } 
@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info list_for_each_entry_safe(p, n, &entry->children, list) snd_info_free_entry(p); - list_del(&entry->list); + p = entry->parent; + if (p) { + mutex_lock(&p->access); + list_del(&entry->list); + mutex_unlock(&p->access); + } kfree(entry->name); if (entry->private_free) entry->private_free(entry);
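
Review bot: In the snd_info_create_entry hunk (@@ -724,8 +724,11 @@), parent->access silently gains a second job, and nothing in the code records it. The commit message says this mutex exists for file access; after this change it also guards parent->children, so a comment at the `mutex_lock(&parent->access);` site (or on the field itself) should state that every writer and every walker of the children list must hold it. Note also that the entry is linked into the parent's list before `return entry;`, so it becomes reachable through parent->children while the caller has not yet filled in the rest of it; the lock makes the list pointers consistent, but anything that walks the list needs to tolerate a half-initialised entry.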
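
Review bot: In the snd_info_free_entry hunk (@@ -809,7 +812,12 @@), the `list_for_each_entry_safe(p, n, &entry->children, list)` walk still runs without entry->access held, while the additions it can race with now take that mutex. The `_safe` iterator only protects against the current node being removed by the loop body; a concurrent list_add_tail() on entry->children from snd_info_create_entry() can still change the list under the cached `n`, or add a child after the walk has finished. Holding entry->access across the loop is not an option as written, because each recursive call locks its parent's access mutex and would deadlock; consider detaching the children onto a private list under the lock and freeing them from there, or splitting out an unlocked helper for the recursive case. As a smaller style point, `p` is the loop cursor and is then reused for `p = entry->parent;`, which a separate `parent` variable would make easier to read.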